summaryrefslogtreecommitdiffstats
path: root/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
Commit message (Collapse)AuthorAgeFilesLines
* nginx: fix CVE-2025-23419Changqing Li2025-03-031-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | CVE-2025-23419: When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Refer: https://nvd.nist.gov/vuln/detail/CVE-2025-23419 This partially cherry picked from commit 13935cf9fdc3c8d8278c70716417d3b71c36140e, the original patch had 2 parts. One fixed problem in `http/ngx_http_request` module and the second fixed problem in `stream/ngx_stream_ssl_module` module. The fix for `stream/ngx_stream_ssl_module can't be aplied because, the 'stream virtual servers' funcionality was added later in this commit: https://github.com/nginx/nginx/commit/d21675228a0ba8d4331e05c60660228a5d3326de. Therefore only `http/ngx_http_request` part was backported. Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: fix CVE-2023-44487alperak2024-01-111-0/+2
| | | | | | | | | | | Upstream-Status: Backport from [https://github.com/nginx/nginx/commit/6ceef192e7af1c507826ac38a2d43f08bf265fb9] WARNING: nginx-1.24.0-r0 do_cve_check: Found unpatched CVE (CVE-2023-44487) This vulnerability exists between the following versions -> From(including) 1.9.5 Up to(including) 1.25.2 Signed-off-by: alperak <alperyasinak1@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: update versions for both the stable branch and mainlineDerek Straka2023-12-141-0/+6
| | | | | | | | Stable: None -> 1.24.0 Legacy Mainline 1.21.1 -> Removed Signed-off-by: Derek Straka <derek@asterius.io> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: upgrade 1.24.0 -> 1.25.1Wang Mingyu2023-07-201-6/+0
| | | | | | | | | | | | | | | | | Changelog: ========== *) Feature: the "http2" directive, which enables HTTP/2 on a per-server basis; the "http2" parameter of the "listen" directive is now deprecated. *) Change: HTTP/2 server push support has been removed. *) Change: the deprecated "ssl" directive is not supported anymore. *) Bugfix: in HTTP/3 when using OpenSSL. *) Feature: experimental HTTP/3 support. License-Update: Copyright year updated to 2023. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: upgrade to 1.24.0 releaseMichael Haener2023-07-111-0/+6
Brings nginx to the current stable version. Signed-off-by: Michael Haener <michael.haener@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-07-23 20:08:21 +0000